Home Forensics Tools Gxss – Tool to Check URLs That Contain Reflecting Params

Gxss – Tool to Check URLs That Contain Reflecting Params

April 26, 2022 Leave a Comment
Gxss Tool to Check URLs That Contain Reflecting Parameter xploitlab

Gxss

Gxss is a tool to check a bunch of URLs that contain reflecting params.

This a light weight tool for checking reflecting Parameters in a URL. Inspired by kxss by @tomnomnom.

How It Works

  1. It takes Urls from STDIN
  2. It check for the reflected value on params one by one. (There are some tool like qsreplace which replace all params value but gxss checks payload one by one which makes it different from all those tools.)
For Example- 
Url is https://example.com/?p=first&q=second

First it will check if p param reflects
https://example.com/?p=Gxss&q=second

Then it will check if q param reflects
https://example.com/?p=first&q=Gxss

  1. If reflection for any param is found it tells which param reflected in response.

Installation

go install github.com/KathanP19/Gxss@latest

Demo Video

Usage

                  
 _____ __ __ _____ _____ 
|   __|  |  |   __|   __|
|  |  |-   -|__   |__   |
|_____|__|__|_____|_____|
                         
        4.0 - @KathanP19

Usage of Gxss:
  -c int
        Set the Concurrency (default 50)
  -d string
        Request data for POST based reflection testing
  -h value
        Set Custom Header.
  -o string
        Save Result to OutputFile
  -p string
        Payload you want to Send to Check Reflection (default "Gxss")
  -u string
        Set Custom User agent. Default is Mozilla (default "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36")
  -v    Verbose mode
  -x string
        Proxy URL. Example: http://127.0.0.1:8080

Checking Single Url

echo “https://target.com/some.php?first=hello&last=world” | Gxss -c 100

Checking List of Urls

cat urls.txt | Gxss -c 100 -p XssReflected

Save Urls Which have Reflecting Params in a file for further analysis

cat urls.txt | Gxss -c 100 -o Result.txt

For verbose mode -v

cat urls.txt | Gxss -c 100 -o Result.txt -v

Send Custom Header -h

cat urls.txt | Gxss -c 100 -p Xss -h “Cookie: Value”

Send Custom User-Agent -u

cat urls.txt | Gxss -c 100 -p Xss -h “Cookie: Value” -u “Google Bot”

Use Case or How to add to your workflow

echo “testphp.vulnweb.com” | waybackurls | httpx -silent | Gxss -c 100 -p Xss | sort -u | dalfox pipe

Dalfox is Xss Scanner by @hahwul

Download Gxss

You May Also Like

OpenRedireX - Open Redirect Scanner and Fuzzer Tool

OpenRedireX – Open Redirect Scanner and Fuzzer Tool

Mantra - Tool to Find API key and Sensitive Information Leaks in JS Files and Pages

Mantra – Tool to Find API key Leaks in JS Files & Pages

Bypass 403 - Simple Script Tool For Bypassing 403 Forbidden Response

Bypass 403 – Simple Script For Bypassing 403 Forbidden Response

Burpgpt - Connect OpenAI gpt with burp suite to detect security vulnerabilities that traditional scanners might miss

Burpgpt –  Integrate OpenAI GPT with Burp Suite to Discover Highly Bespoke Vulnerabilities

WaybackSQLiScanner automatically gather urls from wayback machine then test each GET parameter for sql injection

waybackSqliScanner – Tool to Gather URLs from Wayback Machine Then Test For SQL Injection

Commix - Tool to automates the process of command injection detection and exploitation

Commix – Automated OS Command Injection Exploitation Tool

Leave a Reply

Your email address will not be published. Required fields are marked *

two + 13 =